You are here
Don't let your cloud rain on your performance
GIVEN the ubiquitous use of cloud computing, and hundreds of free apps on offer in cyberspace, can your cloud turn against you? Is your enterprise adequately protected on the cloud? How can you take full advantage of the pros - while mitigating the cons - of cloud computing?
"The cloud is a whole new frontier for hackers, and they are exploring its potential as an attack vector in earnest," reports the just-released Cisco 2017 Midyear Cybersecurity Report. "They understand that cloud systems are mission-critical for many organisations now. They also recognise that they can infiltrate connected systems faster by breaching cloud systems."
In May this year, Singapore's CSA (Cyber Security Agency) revealed that hackers had attempted to steal government data by breaching NUS (National University of Singapore) and NTU (Nanyang Technological University) defences.
"Attackers are not just targeting government systems; they are looking for any network that is remotely related to the government," CSA CEO David Koh was quoted as saying in May. "Attackers are always looking for the weakest link to exploit."
Singapore's Communications and Information Minister Yaacob Ibrahim urged individuals to practise good cyberhygiene, in his Facebook post in May. "As we become more digitally connected, such threats will continue to increase in sophistication, and both public- and private-sector organisations are equally vulnerable," Dr Yaacob noted.
Cisco says that it has observed an increase in sophistication in hackers who target cloud systems. "In January 2017, our researchers caught hackers hunting for valid breached corporate identities," the company said. "Using brute-force attacks, the hackers were creating a library of verified corporate user credentials (usernames and passwords), potentially using known lists of compromised accounts on the web. They were attempting to log in to multiple corporate cloud deployments using servers on 20 highly suspicious IPs."
Research agency Forrester estimates that global cloud services revenues totalled US$114 billion in 2016, up from US$68 billion just two years ago, an annual growth of 30 per cent.
This is set to cross US$236 billion by 2020. While spending on cloud security solutions is relatively small today compared with total spend on security software, its rapid growth is attracting the attention of more traditional security tech vendors.
Larger tech vendors are quickly entering and consolidating in this space via acquisitions. Cisco acquired CloudLock in August 2016 for US$293 million. BlueCoat acquired both Perspecsys and Elastica in 2015 before being acquired by Symantec in 2016. HPE acquired oltage in early 2015. Microsoft acquired Adallom for a reported US$320 million in September 2015. Oracle acquired Palerra in September 2016. "These well-funded new entrants will help drive growth by incorporating cloud security solutions into their overall product offering," Forrester notes.
Companies are using multiple cloud platforms for different apps, thereby adding a level of complexity which is totally outside their control. IDC Corp estimates that 70 per cent of organisations in the Asia-Pacific region outside of Japan will have multi-cloud architectures by 2018, driving up the rate and pace of change. About 65 per cent of companies who choose a multi-cloud strategy will seek management solutions from external providers to meet the complexities of managing cloud 2.0 environments.
"In the cloud 2.0 era, cloud service buyers will be increasingly drawn from the ranks of business managers rather than from IT managers," says William Lee, IDC's associate director of cloud services research for the Asia-Pacific. "The impact of this on the enterprise will be broad. Decisions will be based on business requirements rather than tech platforms, and much of the funding will be from the business units. For the LOB (line of business) manager seeking business innovation, cloud 2.0 will usher a range of new, industry-focused services and partners from which to choose."
Employees are introducing third-party apps from the cloud - via mobile devices - into the corporate network. These apps touch the corporate infrastructure and can communicate freely with the corporate cloud and SaaS (Software as a Service) platforms as soon as users grant access through open authorisation (OAuth).
The average enterprise today has more than 1,000 unique apps in its environment and more than 20,000 different installations of those apps, the Cisco Cybersecurity report notes.
"The recent phishing campaign that targeted Gmail users and attempted to abuse the OAuth infrastructure underscored its security risk," Cisco reports. "The attackers sought to gain control of users' email accounts and spread the phishing worm to their contacts. Google reported that about 0.1 per cent of its one billion users were affected by the campaign. Cisco threat researchers conservatively estimate that more than 300,000 corporations were infected by the worm."
All this means companies will spend more on protecting vital customer, employee, partner and transactional data. The global spend on data security products and services is set to cross US$86 billion in 2017, up 7 per cent over 2016, and will reach US$93 billion next year, says Gartner Inc. Security services will continue to be the fastest growing segment, especially IT outsourcing, consulting and implementation services. However, hardware support services will see growth slowing, due to the adoption of virtual appliances, public cloud and SaaS editions of security solutions, which reduce the need for attached hardware support overall.
"Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services," says Sid Deshpande, a Gartner principal research analyst.
"However, improving security is not just about spending on new technologies. As seen in the recent spate of global security incidents, getting the basics right has never been more important. Organisations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat-centric vulnerability management, centralised log management, internal network segmentation, backups and system hardening."
How do you begin to address the cybersecurity conundrum? According to US-based Saint Corp, CISOs (Chief Information Security Officers) can fill the knowledge gap in the following ways in a company:
- Enable information flows in a meaningful and actionable way for the business. Reports about the organisation's cyber risks or security needs should not be overly technical. Try to align the discussion about these issues with traditional risks that the company faces, and tie them to business priorities and desired outcomes.
- Emphasise how cybersecurity can be a growth enabler and competitive differentiator for the business.
- Explain in clear terms what the impact is to the organisation, especially when alerting management and the board to a cyberattack. For example, how many employees or customers are or might be affected? Which high-value information may have been compromised? What measures is the security team taking to contain and investigate the threat? How long it will take to resume normal operations?
- Engage other leaders in the organisation, including those outside of the IT department. By collaborating regularly with a range of leaders in a company, such as the CIO, the CTO, the CAO (chief audit officer), and the CRO (chief risk officer), CISOs can gain a direct line to senior management and the board. This will also provide a better opportunity to secure a seat at the "top table" to discuss cybersecurity strategies and help develop a comprehensive security programme for the organisation.
CISOs often struggle to secure funding for security initiatives. Now may be the ideal time to discuss budgets with top leadership. The 2017 IT Trends Study from SIM (Society for Information Management) reports that cybersecurity is the third largest area of investment for organisations today. In 2013, it ranked 14th. Respondents to the SIM survey (mainly IT leaders) also ranked cybersecurity second among areas of IT that should receive more investment, and first on the list of information technologies that they find most personally worrisome.
- The author was previously Senior Correspondent with The Business Times.